From: Jason Gunthorpe <jgg@nvidia.com>
To: Mostafa Saleh <smostafa@google.com>
Cc: acpica-devel@lists.linux.dev, Hanjun Guo <guohanjun@huawei.com>,
iommu@lists.linux.dev, Joerg Roedel <joro@8bytes.org>,
Kevin Tian <kevin.tian@intel.com>,
kvm@vger.kernel.org, Len Brown <lenb@kernel.org>,
linux-acpi@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
Lorenzo Pieralisi <lpieralisi@kernel.org>,
"Rafael J. Wysocki" <rafael@kernel.org>,
Robert Moore <robert.moore@intel.com>,
Robin Murphy <robin.murphy@arm.com>,
Sudeep Holla <sudeep.holla@arm.com>,
Will Deacon <will@kernel.org>,
Alex Williamson <alex.williamson@redhat.com>,
Eric Auger <eric.auger@redhat.com>,
Jean-Philippe Brucker <jean-philippe@linaro.org>,
Moritz Fischer <mdf@kernel.org>,
Michael Shavit <mshavit@google.com>,
Nicolin Chen <nicolinc@nvidia.com>,
patches@lists.linux.dev,
Shameerali Kolothum Thodi <shameerali.kolothum.thodi@huawei.com>
Subject: Re: [PATCH v2 2/8] iommu/arm-smmu-v3: Use S2FWB when available
Date: Tue, 10 Sep 2024 17:22:51 -0300 [thread overview]
Message-ID: <20240910202251.GJ58321@nvidia.com> (raw)
In-Reply-To: <ZuAlt9SsijRxuGLk@google.com>
On Tue, Sep 10, 2024 at 10:55:51AM +0000, Mostafa Saleh wrote:
> On Tue, Sep 03, 2024 at 08:33:40PM -0300, Jason Gunthorpe wrote:
> > On Tue, Sep 03, 2024 at 07:57:01AM +0000, Mostafa Saleh wrote:
> >
> > > Basically, I believe we shouldn’t set FWB blindly just because it’s supported,
> > > I don’t see how it’s useful for stage-2 only domains.
> >
> > And the only problem we can see is some niche scenario where incoming
> > memory attributes that are already requesting cachable combine to a
> > different kind of cachable?
>
> No, it’s not about the niche scenario, as I mentioned I don’t think
> we should enable FWB because it just exists. One can argue the opposite,
> if S2FWB is no different why enable it?
Well, I'd argue that it provides more certainty for the kernel that
the DMA API behavior is matched by HW behavior. But I don't feel strongly.
I adjusted the patch to only enable it for nesting parents.
> AFAIU, FWB would be useful in cases where the hypervisor(or VMM) knows
> better than the VM, for example some devices MMIO space are emulated so
> they are normal memory and it’s more efficient to use memory attributes.
Not quite, the purpose of FWB is to allow the hypervisor to avoid
costly cache flushing. It is specifically to protect the hypervisor
against a VM causing the caches to go incoherent.
Caches that are unexpectedly incoherent are a security problem for the
hypervisor.
> > > and we should only set FWB for coherent
> > > devices in nested setup only where the VMM(or hypervisor) knows better than
> > > the VM.
> >
> > I don't want to touch the 'only coherent devices' question. Last time
> > I tried to do that I got told every option was wrong.
> >
> > I would be fine to only enable for nesting parent domains. It is
> > mandatory here and we definitely don't support non-cachable nesting
> > today. Can we agree on that?
>
> Why is it mandatory?
Because iommufd/vfio doesn't have cache flushing.
> I think a supporting point for this, is that KVM does the same for
> the CPU, where it enables FWB for VMs if supported. I have this on
> my list to study if that can be improved. But may be if we are out
> of options that would be a start.
When KVM turns on S2FWB it stops doing cache flushing. As I understand
it S2FWB is significantly a performance optimization.
On the VFIO side we don't have cache flushing at all. So enforcing
cache consistency is mandatory for security.
For native VFIO we set IOMMU_CACHE and expect that the contract with
the IOMMU is that no cache flushing is required.
For nested we set S2FWB/CANWBS to prevent the VM from disabling VFIO's
IOMMU_CACHE and again the contract with the HW is that no cache
flushing is required.
Thus VFIO is security correct even though it doesn't cache flush.
None of this has anything to do with device coherence capability. It
is why I keep saying incoherent devices must be blocked from VFIO
because it cannot operate them securely/correctly.
Fixing that is a whole other topic, Yi has a series for it on x86 at
least..
Jason
next prev parent reply other threads:[~2024-09-10 20:24 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-27 15:51 [PATCH v2 0/8] Initial support for SMMUv3 nested translation Jason Gunthorpe
2024-08-27 15:51 ` [PATCH v2 1/8] vfio: Remove VFIO_TYPE1_NESTING_IOMMU Jason Gunthorpe
2024-08-30 7:40 ` Tian, Kevin
2024-08-27 15:51 ` [PATCH v2 2/8] iommu/arm-smmu-v3: Use S2FWB when available Jason Gunthorpe
2024-08-27 19:48 ` Nicolin Chen
2024-08-28 18:30 ` Jason Gunthorpe
2024-08-28 19:47 ` Nicolin Chen
2024-08-28 19:50 ` Nicolin Chen
2024-08-30 7:44 ` Tian, Kevin
2024-08-30 7:56 ` Nicolin Chen
2024-08-30 8:01 ` Tian, Kevin
2024-08-30 15:12 ` Mostafa Saleh
2024-08-30 16:40 ` Jason Gunthorpe
2024-09-02 9:29 ` Mostafa Saleh
2024-09-03 0:05 ` Jason Gunthorpe
2024-09-03 7:57 ` Mostafa Saleh
2024-09-03 23:33 ` Jason Gunthorpe
2024-09-10 10:55 ` Mostafa Saleh
2024-09-10 20:22 ` Jason Gunthorpe [this message]
2024-09-17 9:48 ` Mostafa Saleh
2024-09-04 14:20 ` Shameerali Kolothum Thodi
2024-09-04 15:00 ` Jason Gunthorpe
2024-09-10 11:25 ` Shameerali Kolothum Thodi
2024-09-11 22:52 ` Jason Gunthorpe
2024-08-27 15:51 ` [PATCH v2 3/8] ACPICA: IORT: Update for revision E.f Jason Gunthorpe
2024-08-29 10:14 ` Rafael J. Wysocki
2024-08-27 15:51 ` [PATCH v2 4/8] ACPI/IORT: Support CANWBS memory access flag Jason Gunthorpe
2024-08-30 7:52 ` Tian, Kevin
2024-08-30 13:54 ` Jason Gunthorpe
2024-09-03 7:14 ` Tian, Kevin
2024-08-27 15:51 ` [PATCH v2 5/8] iommu/arm-smmu-v3: Report IOMMU_CAP_ENFORCE_CACHE_COHERENCY for CANWBS Jason Gunthorpe
2024-08-27 20:12 ` Nicolin Chen
2024-08-28 19:12 ` Jason Gunthorpe
2024-08-30 15:19 ` Mostafa Saleh
2024-08-30 17:10 ` Jason Gunthorpe
2024-08-27 15:51 ` [PATCH v2 6/8] iommu/arm-smmu-v3: Support IOMMU_GET_HW_INFO via struct arm_smmu_hw_info Jason Gunthorpe
2024-08-30 7:55 ` Tian, Kevin
2024-08-30 15:23 ` Mostafa Saleh
2024-08-30 17:16 ` Jason Gunthorpe
2024-09-02 10:11 ` Mostafa Saleh
2024-09-03 0:16 ` Jason Gunthorpe
2024-09-03 8:34 ` Mostafa Saleh
2024-09-03 23:40 ` Jason Gunthorpe
2024-09-04 7:11 ` Shameerali Kolothum Thodi
2024-09-04 12:01 ` Jason Gunthorpe
2024-09-06 11:19 ` Mostafa Saleh
2024-08-27 15:51 ` [PATCH v2 7/8] iommu/arm-smmu-v3: Implement IOMMU_HWPT_ALLOC_NEST_PARENT Jason Gunthorpe
2024-08-27 20:16 ` Nicolin Chen
2024-08-30 7:58 ` Tian, Kevin
2024-08-30 13:55 ` Jason Gunthorpe
2024-08-30 15:27 ` Mostafa Saleh
2024-08-30 17:18 ` Jason Gunthorpe
2024-09-02 8:57 ` Mostafa Saleh
2024-08-27 15:51 ` [PATCH v2 8/8] iommu/arm-smmu-v3: Support IOMMU_DOMAIN_NESTED Jason Gunthorpe
2024-08-27 21:23 ` Nicolin Chen
2024-08-28 19:01 ` Jason Gunthorpe
2024-08-28 19:27 ` Nicolin Chen
2024-08-30 8:16 ` Tian, Kevin
2024-08-30 14:13 ` Jason Gunthorpe
2024-08-30 14:39 ` Jason Gunthorpe
2024-08-30 16:09 ` Mostafa Saleh
2024-08-30 16:59 ` Nicolin Chen
2024-08-30 17:04 ` Jason Gunthorpe
2024-09-02 9:57 ` Mostafa Saleh
2024-09-03 0:30 ` Jason Gunthorpe
2024-09-03 1:13 ` Nicolin Chen
2024-09-03 9:00 ` Mostafa Saleh
2024-09-03 23:55 ` Jason Gunthorpe
2024-09-06 11:07 ` Mostafa Saleh
2024-09-06 13:34 ` Jason Gunthorpe
2024-09-10 11:12 ` Mostafa Saleh
2024-09-15 21:39 ` Jason Gunthorpe
2024-09-06 18:28 ` Jason Gunthorpe
2024-09-06 18:49 ` Nicolin Chen
2024-09-06 23:15 ` Jason Gunthorpe
2024-08-27 21:31 ` [PATCH v2 0/8] Initial support for SMMUv3 nested translation Nicolin Chen
2024-08-28 16:31 ` Shameerali Kolothum Thodi
2024-08-28 17:14 ` Nicolin Chen
2024-08-28 18:06 ` Shameerali Kolothum Thodi
2024-08-28 18:12 ` Nicolin Chen
2024-08-29 13:14 ` Shameerali Kolothum Thodi
2024-08-29 14:52 ` Shameerali Kolothum Thodi
2024-08-29 16:10 ` Nicolin Chen
2024-08-30 9:07 ` Shameerali Kolothum Thodi
2024-08-30 17:01 ` Nicolin Chen
2024-09-12 3:42 ` Zhangfei Gao
2024-09-12 4:05 ` Nicolin Chen
2024-09-12 4:25 ` Baolu Lu
2024-09-12 7:32 ` Zhangfei Gao
2024-10-15 3:21 ` Zhangfei Gao
2024-10-15 13:09 ` Jason Gunthorpe
2024-10-17 1:53 ` Zhangfei Gao
2024-10-17 11:57 ` Jason Gunthorpe
2024-10-16 2:23 ` Zhangfei Gao
2024-10-16 11:53 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240910202251.GJ58321@nvidia.com \
--to=jgg@nvidia.com \
--cc=acpica-devel@lists.linux.dev \
--cc=alex.williamson@redhat.com \
--cc=eric.auger@redhat.com \
--cc=guohanjun@huawei.com \
--cc=iommu@lists.linux.dev \
--cc=jean-philippe@linaro.org \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=kvm@vger.kernel.org \
--cc=lenb@kernel.org \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=lpieralisi@kernel.org \
--cc=mdf@kernel.org \
--cc=mshavit@google.com \
--cc=nicolinc@nvidia.com \
--cc=patches@lists.linux.dev \
--cc=rafael@kernel.org \
--cc=robert.moore@intel.com \
--cc=robin.murphy@arm.com \
--cc=shameerali.kolothum.thodi@huawei.com \
--cc=smostafa@google.com \
--cc=sudeep.holla@arm.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).